Azure AD Recommendations has been available in preview for a few weeks. While reviewing my recommendations it showed me that some users had used SMS or voice call as their MFA method last week. Because this is still their secondary MFA method it could be a false positive. Maybe they had no access to their Authenticator App for some reason?
Using the Authenticator App for MFA is best practice and the most secure of the legacy methods. Therefore I had to find out which users are not using it as their default MFA method.
After doing some research I found this script, MfaAuthMethodAnalysis.ps1, which was built by Microsoft. With this script you are able to check all the user objects in your tenant and their default MFA method. Examples on how to use it can be found here. I'll add them below for your reference.
Creates per user recommendations for all users in the target tenant and displays the results to screen:
.\MfaAuthMethodAnalysis.ps1 -TenantId 9959f32b-837b-41db-b6e5-32277e344292
Creates per user recommendations for each user in the target group and displays the results to screen:
.\MfaAuthMethodAnalysis.ps1 -TenantId 9959f32b-837b-41db-b6e5-32277e344292 -TargetGroup 6424cd24-ee16-472f-bad6-85427c9febc2
Creates a date- and time-stamped CSV file in the script's execution directory with per-user recommendations for all users in the tenant. Writes verbose progress to screen:
.\MfaAuthMethodAnalysis.ps1 -TenantId 9959f32b-837b-41db-b6e5-32277e344292 -CsvOutput -Verbose
Creates a date- and time-stamped CSV file in the script's execution directory with per-user recommendations for all users in the tenant. Includes location information: UPN domain, usage location and country:
.\MfaAuthMethodAnalysis.ps1 -TenantId 9959f32b-837b-41db-b6e5-32277e344292 -LocationInfo -CsvOutput
Output / Results
I prefer the third option, which shows progress in the PowerShell console and creates a CSV file that is easy to filter and format.
The actual CSV file output looks something like the example below. I applied a filter which shows all the identities who are not using the Authenticator App as their default method.
The picture below shows some users who have 3, 4 or 5 authentication methods (MfaAuthMethodCount) configured but are still not using the Authenticator App as their default MFA method. These identities can change their default method with little effort, because the app is typically already registered. Identities who only have 1 or 2 MFA methods would need to set up the Authenticator App first!
Note: all identities whose default method is PhoneAppNotification or PhoneAppOTP are using the Authenticator App. Identities whose default is OneWaySMS, TwoWayVoiceMobile or TwoWayVoiceOffice should change their default method via https://aka.ms/mfasetup.
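The classification above (Authenticator App as default, phone-based default but app already registered, or no app registered at all) can be reproduced directly from the StrongAuthenticationMethods property that the MSOnline module returns, which is the same data the Microsoft script evaluates. The snippet below is an added example written for this post; it is not code from MfaAuthMethodAnalysis.ps1. The function name Get-MfaDefaultMethodReport, the output column names and the sample users are my own assumptions; the MethodType values are the ones listed in the note above, and UserPrincipalName, StrongAuthenticationMethods, MethodType and IsDefault are the real property names exposed by Get-MsolUser. Unlike the rough "3 or more methods" heuristic, the example checks whether an Authenticator method is actually registered before recommending a simple default switch.

```powershell
# Added example for this post (not part of Microsoft's MfaAuthMethodAnalysis.ps1).
# Input objects mirror the shape returned by Get-MsolUser (MSOnline module):
# UserPrincipalName and StrongAuthenticationMethods, where each method has MethodType and IsDefault.

$AuthenticatorMethods = @('PhoneAppNotification', 'PhoneAppOTP')
$PhoneMethods         = @('OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceOffice')

function Get-MfaDefaultMethodReport {
    # Hypothetical function name; output column names are assumptions, except MfaAuthMethodCount
    # which matches the column in the Microsoft script's CSV.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $methods = @($User.StrongAuthenticationMethods)
        $default = ($methods | Where-Object { $_.IsDefault }).MethodType
        $hasAuthenticator = [bool]($methods | Where-Object { $AuthenticatorMethods -contains $_.MethodType })

        # Recommendation depends on what is registered, not only on how many methods exist.
        $recommendation =
            if ($methods.Count -eq 0)                         { 'No MFA methods registered' }
            elseif ($AuthenticatorMethods -contains $default) { 'OK: Authenticator App is default' }
            elseif ($hasAuthenticator)                        { 'Switch default to Authenticator App via https://aka.ms/mfasetup' }
            else                                              { 'Register Authenticator App first, then make it default' }

        [pscustomobject]@{
            UserPrincipalName  = $User.UserPrincipalName
            MfaAuthMethodCount = $methods.Count
            DefaultMethod      = $default
            UsesPhoneAsDefault = [bool]($PhoneMethods -contains $default)
            Recommendation     = $recommendation
        }
    }
}

# Constructed sample data standing in for Get-MsolUser output (not real tenant data).
function New-SampleMethod([string]$Type, [bool]$IsDefault) {
    [pscustomobject]@{ MethodType = $Type; IsDefault = $IsDefault }
}
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'   # app is default: OK
        StrongAuthenticationMethods = @((New-SampleMethod 'PhoneAppNotification' $true),
                                        (New-SampleMethod 'PhoneAppOTP' $false),
                                        (New-SampleMethod 'OneWaySMS' $false)) }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'     # 4 methods, SMS default: just switch
        StrongAuthenticationMethods = @((New-SampleMethod 'OneWaySMS' $true),
                                        (New-SampleMethod 'TwoWayVoiceMobile' $false),
                                        (New-SampleMethod 'PhoneAppNotification' $false),
                                        (New-SampleMethod 'PhoneAppOTP' $false)) }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'   # phone only: must register the app first
        StrongAuthenticationMethods = @((New-SampleMethod 'TwoWayVoiceOffice' $true),
                                        (New-SampleMethod 'OneWaySMS' $false)) }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example'    # no MFA at all
        StrongAuthenticationMethods = @() }
)

# Same filter as applied to the CSV above: everyone whose default is not the Authenticator App.
$sampleUsers |
    Get-MfaDefaultMethodReport |
    Where-Object { $AuthenticatorMethods -notcontains $_.DefaultMethod } |
    Format-Table -AutoSize

# Against a real tenant (requires the MSOnline module and Connect-MsolService first):
# Get-MsolUser -All | Get-MfaDefaultMethodReport | Export-Csv .\MfaDefaultMethods.csv -NoTypeInformation
```

For the sample data this lists bob (switch default), carol (register the app first) and dave (no methods) and leaves alice out. Note that the MSOnline module is being retired by Microsoft; the same registered-method data is available from Microsoft Graph (the authentication methods API), so treat the Get-MsolUser line as a legacy path rather than a long-term solution.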